Current Threat Environment

• Usual view of threat environment
• Looking backwards from today's threats
• Looking forwards to future threats
• The need for prevention is pressing
Usual view of threat environment

90% of US businesses report being hacked
59% report being hacked more than once

Chart: Total malware, 250,000,000 samples

Headline: Target Earnings Slide 46% After Data Breach
Sources: Ponemon Institute, CNNMoney study, May 28, 2014; McAfee Quarterly Threat Report, June 2014; Wall Street Journal, Feb 26, 2014
retailcustomerexperience.com - 5_lessons_learned_from_recent_retail_data_breaches.pdf
Looking backwards from today's threats

92% of the 100,000 incidents from the last 10 years can be described by 9 basic patterns:

• Insider misuse
• DoS attacks
• Cyber-espionage
• Crimeware
• Web app attacks
• Physical theft and loss
• Payment card skimmers
• Point-of-sale intrusions
• Miscellaneous errors
Looking forward to future threats

• Technology
• Evolving role of people in cyber security
• Learning from data: measurements, metrics, analysis
Cyber threats track evolution of technology

• Software is the new hardware
• Covering the next last mile
• Expanding endpoints
Software is the new hardware

Cyber-physical systems (CPS) are evolving into a computer with interesting peripherals

• Airplane function in software moved from 8% to 80% since 1960
• Software defined radios drive communication
• Television evolved to digital signal processors

IT moving from specialized hardware to software, virtualized

• Memory
• Storage
• Servers
• Switches
• Networks

• Hardware security needs software analogs
• New programming models need secure coding guidelines
• Guard against side channel attacks enabled by virtualization
Covering the next last mile - securing the border and end points

The last mile has expanded to:

Cellular
• Main processor
• Baseband processor
• Secure element (SIM)

Industrial and home automation
• SCADA
• Bluetooth
• Zigbee

Automotive
• Intravehicular: more than 50 networked processors
• Vehicle to infrastructure (V2I): congestion management, emergency services, law enforcement
• Vehicle to vehicle (V2V): safety, efficiency

Aviation
• Fly by wire
• NextGen air traffic control

Smart grid

Embedded medical devices
Evolving role of people in cyber security

Analysts: Soaring need for cyber analysts
• Bureau of Labor Statistics projects information security analyst jobs to increase by 20% or more through 2018
• Need validated measurement and testing of needed skills, at individual and team level

Optimizing analyst effectiveness: Automation assists analysts
• What can be automated and what is left to the analyst
• Trade off between training and application

Developers: Development becoming assembly over creation
• At least 75% of organizations rely on open source as the foundation of their applications
• Weak or absent security tracking in the software supply chain

Adversaries: Culture's role in cyber security
• Cultural influences on development and attack behavior
Learning from data: measurements, metrics, analysis

Biggest challenges
• Determining leading indicators
• Reducing false positives

Need to extract information from data from across the software lifecycle

Applying techniques across disciplines including
• Metric and model definition
• Social and psychological experimentation
• Machine learning
• Statistical modeling

Applications to
• Real-time analysis
• Retrospective insight

Software Engineering Institute, Carnegie Mellon University
Mark Sherman, Cyber Security Foundations Research
©2014 Carnegie Mellon University


An ounce of prevention is worth a pound of cure

“We wouldn't have to spend so much time, money, and effort on network security if we didn't have such bad software security.”

Bruce Schneier in Viega and McGraw, “Building Secure Software,” 2001
The need for prevention is pressing

• 19% fail to carry out security requirement definition
• 27% do not practice secure design review
• 30% do not use static analysis or manual code review during development
• 47% do not perform acceptance tests for third-party code

Diagram: secure development life cycle with the phases Requirements and Acquisition; Architecture and Design; Coding; Testing, Validation and Verification; Deployment and Operations; Sustainment. Practices shown alongside the phases: mission thread (business process) threat analysis, abuse cases, architecture and design principles, rules and guidelines, monitoring, and breach awareness.

More than 81% do not coordinate their security practices in various stages of the development life cycle.

Source: Forrester Consulting, “State of Application Security,” January 2011




Security by default




Contact Information

Mark Sherman
(412) 268-9223
mssherman@sei.cmu.edu

Web Resources (CERT/SEI)
http://www.cert.org/
http://www.sei.cmu.edu/